Microsoft SHA-1 Deprecation Plan – User’s Guide

Today, many in the security community consider the SHA-1 hash algorithm a legacy cryptographic algorithm that is no longer secure. An attacker may use weaknesses in SHA-1 to perform man-in-the-middle attacks, spoof content, or carry out phishing.

As announced in the Microsoft Advisory and on the Microsoft Edge Official Blog, Microsoft, in collaboration with other members of the industry including various browser vendors, is taking gradual steps to deprecate SHA-1 and warn users of the possible risk when they encounter websites that use a SHA-1 certificate.

We have already started to remove the “lock icon” from the address bar in Microsoft Edge and Internet Explorer when browsing websites that use a SHA-1 certificate.

Update: We are updating our timelines to deprecate SHA-1 by mid-2017 to ensure compliance in all configurations and scenarios for Microsoft Edge and Internet Explorer 11. At that time, these browsers will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Additionally, the next release of Windows 10 will block SHA-1 by default in the browser. Customers who would like to disable SHA-1 today may do so with the instructions in the Microsoft Edge Developer Blog.


This post provides a summary of the SHA-1 deprecation, with infographics and user guidance to help you test ahead of time.

If you are a website administrator, please check your site to make sure it will not trigger a warning.
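One way to script this check, as an added example that is not part of the original post: it reads the signature algorithm OID from a DER-encoded certificate and flags the SHA-1 variants. The function names and the certificate-shaped sample input are constructed for illustration.

```python
import ssl
SHA1_SIG_OIDS = {  # signature-algorithm OIDs that use SHA-1 (RFC 3279)
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(body):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted notation."""
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the end of a sub-identifier
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    outer, start, _ = _tlv(der, 0)
    _, _, tbs_end = _tlv(der, start)            # skip tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)        # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if outer != 0x30 or tag != 0x06:
        raise ValueError("not a DER-encoded X.509 certificate")
    return _oid(der[oid_start:oid_end])

def uses_sha1(der):
    return signature_algorithm_oid(der) in SHA1_SIG_OIDS

def leaf_uses_sha1(host, port=443):
    """Fetch the leaf certificate a server presents and check its signature hash."""
    pem = ssl.get_server_certificate((host, port))
    return uses_sha1(ssl.PEM_cert_to_DER_cert(pem))

def constructed_skeleton(oid_hex):
    """Constructed sample: certificate-shaped DER with an empty body, not a real cert."""
    alg = b"\x06" + bytes([len(oid_hex) // 2]) + bytes.fromhex(oid_hex) + b"\x05\x00"
    body = b"\x30\x00" + b"\x30" + bytes([len(alg)]) + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body
```

`leaf_uses_sha1("www.example.com")` needs network access and inspects only the leaf certificate the server presents, so any intermediate certificates have to be checked separately.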

For the latest information, please see


– Yurika Muraki, Security Program Manager, Customer Service & Support












